Cyber Essentials

Cyber Essentials (CE) is a UK government scheme that organisations can (and in some cases, must) use to certify a basic level of both IT security awareness and cyber-health. It’s mostly interested in technical controls to mitigate specific, common, cyber threats.

It is thus unlike certifications such as ISO 27001, which are more concerned with identification of risk and allow for that risk to be mitigated in non-technical ways, e.g. with policy documents that users have to be made aware of. To take a common example, Cyber Essentials states that you must “use administrative accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks)”. Thus it’s no good if your users do log on with administrator-level accounts on a daily basis to perform those activities – it doesn’t matter if you’ve identified that as an acceptable business risk. You cannot pass CE if that is how you’re currently operating your IT.

I have been doing a fair amount of assessing and testing for both CE and CE+ recently, and thought some of the knowledge I have accrued might be of use to people who are considering getting certified. I have spent many (18) years designing and running large enterprise IT environments, and the last few years working for a cyber security training and consultancy company doing increasing amounts of security-related work. I am Tiger Scheme certified as a Qualified Security Team Member, which is a UK government penetration testing certification.

Cyber Essentials, if you ask the wrong people (i.e. security and IT product vendors) can be a licence to sell you all kinds of new hardware/software/devices, whereas in reality it’s often relatively easy to comply with what you almost certainly already have – albeit potentially with a few changes to your working practices. You probably know the things you’re currently doing that are bad and CE might just be the prod you need to get them changed.

Look out for further articles where I’ll explain how to get CE certified for no extra charge (except the certification fee!)

Get Certified

Once your IT and business practices comply with all the requirements for Cyber Essentials, getting certified is simply a case of selecting a suitable Certification Body, filling in a form and paying a fee of a few hundred pounds. Assuming you’re in compliance with the requirements, and you hopefully won’t fill out the form unless you know you are, you’ll shortly be awarded your certificate, be allowed to use the Cyber Essentials logo, and be added to the publicly searchable directory. Your certification lasts for 12 months, so just before your existing certification expires you need to go through the process again, ensuring you’ve kept up to date with any new or changed requirements.

You might want to consider contacting my employers, PGI, for a quote for certification and/or consultancy.

Plus

Cyber Essentials Plus is an enhanced level of certification, where you not only have to say that you comply with the requirements for CE, but you also get tested to ensure that you comply. This testing includes vulnerability scans of your internal and external infrastructure, and of mobile devices. It is more expensive because you have to pay for a consultant to do the testing, some of which necessarily involves them being on site with you for a day or so. Note that this does not include a full penetration test: a vulnerability scan, as its name implies, just scans for vulnerabilities (e.g. missing security updates, misconfigured security settings); it does not try to exploit them.

CE+ is a bit like a cyber MOT for your organisation. It’s a reasonably standard set of tests that, if you’re in compliance, means you’re doing the basics right.

Required?

Sometimes, it can be a requirement to have CE or CE+. For example, the UK government requires “all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme”.

Is it for me?

CE is for everyone, from a sole trader to a large company. CE gives your customers and other organisations that you interact with a sense of reassurance that when it comes to cyber security, you’re getting the basics right – and are thus potentially safer to deal with than your competition.

I’ve also seen CE+ used by company directors as an easy and relatively inexpensive way to audit that their (often outsourced) IT is being managed sensibly when it comes to cyber security. Used in this way, it’s then giving a double benefit of being a good standardised benchmark to meet, and also getting a recognised certification.

More information?

For starters, if you’re even slightly technical (i.e. can use a computer for internet-based activities) you should really check out the Requirements for IT Infrastructure. You can also check out all the other information on the National Cyber Security Centre’s Cyber Essentials website. NCSC is part of GCHQ – they know what they’re talking about when it comes to Cyber stuff.

You can also ask me for advice either via the Hire Me link at the top, or by leaving a comment. You could also check out the PGI Cyber Essentials page – mention my blog if you contact them!

I’m intending to keep adding to this post as I find out new things and update more devices. This is primarily to aid me in tracking things I’ve done, what’s changed, and what’s still to do. Hopefully others might find some of this useful too.

Running multiple AntiMalware products potentially causes the “I am compatible” registry value to not work properly – one product might not be compatible, but if the other is and sets the value you could end up with bluescreens after installing the security update. Luckily both mine are compatible, and one or other of them set the registry value, which I checked via RegEdit.
The presence of a DWORD value called cadca5fe-87d3-4b96-b7fb-a231484277cc, set to 0, indicates that the AntiVirus product is compatible with the update. Interestingly, my machine has that value, but it also has a subkey called cadca5fe-87d3-4b96-b7fb-a231484277cc with the default value set to 0. I have other machines that only have Kaspersky on and these also have the value and the subkey present, so I think it’s Kaspersky doing this, not MalwareBytes.

I’ve installed the KB4056890 update on this machine (via WSUS) but it’s not rebooted yet. Prior to installing the update I ran the PowerShell command Get-SpeculationControlSettings and it returned the following:

This machine is running the latest available BIOS from Dell, so I’ll have to wait for a new BIOS to be able to get the updated CPU microcode to enable the hardware support (I assume).

Home PC

This has an AMD FX-8350 CPU and is running Windows 10 1709, Windows Defender, and MalwareBytes 3.2.2.2029. It had not been switched on since 3rd Jan. I turned it on on the evening of 5th Jan, and after updating the database for MalwareBytes, the registry value to enable the Windows Update to install was not present. I then updated Windows Defender’s threat definitions, the version is now 1.259.1223.0 and this has now added the registry value. The subkey with the same GUID as the value is not present on this machine, so I think my earlier suspicions about this being added by Kaspersky are correct. It’s also interesting to note that MalwareBytes does not seem to add the registry value at all.

Update 2018-01-10

Dell have now provided some pages with information about their efforts to deal with the problems:

Dell’s main Meltdown & Spectre page – this has an overview of the problem, and gives links to other pages with more specific information for PCs & thin client devices, Dell EMC hardware, VMware, and Pivotal.

Dell Consumer and Commercial product updates – this has BIOS versions or ETAs for new BIOS versions that will, in conjunction with OS updates, protect against Meltdown & Spectre. e.g. my E7450 laptop is due for a BIOS update to be released on 12th Jan 2018. Note that OS updates should be in place before the BIOS is updated.

Update 2018-01-16

Dell released a BIOS update for my E7450 work laptop on 12th Jan, version A18, which adds fixes for CVE-2017-5715 (one of the Spectre vulnerabilities) and various Intel Management Engine security issues (CVE-2017-5711 & CVE-2017-5712, CVE-2017-13077, CVE-2017-13078 & CVE-2017-13080). So this is a good thing to install ASAP.

Note that the SpeculationControl PowerShell module has been updated to version 1.0.4 since I first started this post, so you might want to do:

Update-Module -Name SpeculationControl -Force

Running Get-SpeculationControlSettings on my E7450 now results in the following:
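To make both of the checks discussed above repeatable, here is an added PowerShell example (my own, not the script or output from the original post). It reads the QualityCompat value that the antivirus vendors set, reports separately whether the same-named subkey mentioned above is also present (that subkey is not what Windows Update looks at), then installs or updates the SpeculationControl module and summarises its result. The registry key path comes from Microsoft’s January 2018 guidance and is not quoted in the post; the property names are those the 1.0.4 module returns.

```powershell
# Added example: checks the antivirus "compatible" marker and the
# speculation-control status on a Windows machine. The key path is from
# Microsoft's guidance for the January 2018 updates; the value name is the
# GUID quoted in the post.

$compatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-AvCompatMarker {
    # True only when the DWORD value exists AND is 0: that is the condition
    # Windows Update evaluates before offering the update.
    $item = Get-ItemProperty -Path $compatKey -Name $compatValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$compatValue -eq 0)
}

"AV compatibility value present and set to 0 : $(Test-AvCompatMarker)"

# The post also saw a *subkey* with the same GUID. Report it, but do not treat
# it as the flag, because the update does not check for it.
$subkeyPresent = Test-Path -Path (Join-Path $compatKey $compatValue)
"Subkey with the same GUID also present      : $subkeyPresent"

# Install or refresh the SpeculationControl module, then query it.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
} else {
    Update-Module -Name SpeculationControl -Force
}
Import-Module SpeculationControl

$sc = Get-SpeculationControlSettings

# BTIHardwarePresent only becomes true once the CPU microcode is updated,
# i.e. after the BIOS update the post is waiting for. The "Windows support"
# properties flip to true after the OS update has been installed and the
# machine rebooted.
[pscustomobject]@{
    'Spectre v2: microcode (hardware) present' = $sc.BTIHardwarePresent
    'Spectre v2: OS support present'           = $sc.BTIWindowsSupportPresent
    'Spectre v2: OS support enabled'           = $sc.BTIWindowsSupportEnabled
    'Meltdown: mitigation required on this CPU' = $sc.KVAShadowRequired
    'Meltdown: OS support present'             = $sc.KVAShadowWindowsSupportPresent
    'Meltdown: OS support enabled'             = $sc.KVAShadowWindowsSupportEnabled
} | Format-List
```

If the first line comes back as False even though your antivirus is supposedly compatible, that is exactly the multi-product situation described above: neither product has written the value, and the update will not be offered until one does (or you set it yourself, having confirmed with the vendor that the driver is safe).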

Managing Office 365 manually via the portal is fine, until you get fed up with it or need to make bulk changes. Automating the licence allocation process turned out to be fairly easy, once I’d got to grips with how the PowerShell cmdlets worked.

This is nothing massively complex. My top tips are:

Make sure that you only ever specify “valid” combinations of licences – e.g. you can’t add Audio Conferencing if the user doesn’t have a Skype for Business licence. This is exactly the same as when you manage users via the Admin portal.

Get to grips with the terminology:

AccountSkuId = a code for a top level product as seen in the admin portal, for example O365_BUSINESS_PREMIUM is the Office 365 Business Premium bundle.

Plans = subcomponents of an AccountSkuId, e.g. MICROSOFTBOOKINGS is (unsurprisingly) Microsoft Bookings. By default, all plans within an AccountSkuId are enabled when you add an AccountSkuId to a user. To disable some, you create an MsolLicenseOptions object specifying the plans you want disabled.

To change the plans that are enabled/disabled within an AccountSkuId for a user, you have to remove the AccountSkuId from the user, create the MsolLicenseOptions object and then re-add the AccountSkuId specifying the MsolLicenseOptions object.

For the Msol PowerShell cmdlets, it’s “License” not “Licence”!

I’ve been meaning to do this for some time, it just feels like it should be automated, and now, for me, it is.

What it does

The script below runs as a scheduled task. It writes its actions to the Application event log. The way it works is to assume that all users in Office 365 should have a Business Premium licence, unless they’re a member of an Office 365 security group called “Unlicensed Users”. If they’re in that group, it removes all licences from them.

Events logged are as follows:

10003 – Start processing O365 Licenses

10004 – Finish processing O365 Licenses

10001 – Removed license from <User>

10002 – Added license to <User>

10005 – Failed to remove license from <User>

10006 – Failed to add license to <User>

It’s easy to filter the event log to see just the information you’re looking for, to confirm what actions have been taken, and when.

Setup

The scheduled task is set to run as a dedicated user, and I’ve created an encrypted password file whilst running as that user; the password is for the Office 365 Global Admin account that’ll be used by the script. To create the password file, use:

runas /user:<domain>\scheduled-task-user

to run a PowerShell prompt on the machine where the scheduled task will be run. Then, within that PowerShell prompt, run the following:

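Pulling the setup and the “What it does” description together, here is an added PowerShell example of the whole scheduled-task script (my own, not the post’s script). It reads the DPAPI-protected password file, connects with the MSOnline module, gives everyone the Business Premium bundle unless they are in the “Unlicensed Users” group, strips all licences from anyone who is, and logs the event IDs listed above to the Application log. Two things are worth checking in your own copy: the password file can only be decrypted by the same Windows user on the same machine, so it must be created under the task account as described; and the account in the file does not need Global Admin, a role that can only manage users and licences (User Administrator) is enough. The tenant prefix “contoso”, the admin UPN, the file path and the event source name are assumptions, not taken from the post.

```powershell
# Added example (not the post's script). Scheduled-task script: Business
# Premium for everyone except members of "Unlicensed Users", with results
# written to the Application event log using the post's event IDs.
# Assumed, not from the post: tenant prefix, admin UPN, file path, source name.
#
# One-off setup, run interactively AS THE SCHEDULED-TASK USER (DPAPI ties the
# file to that user and machine, so no other account can decrypt it):
#   Read-Host -AsSecureString 'O365 admin password' |
#       ConvertFrom-SecureString | Out-File C:\Scripts\o365.pwd

$adminUpn  = 'svc-o365@contoso.onmicrosoft.com'    # assumed
$pwdFile   = 'C:\Scripts\o365.pwd'                 # assumed
$skuId     = 'contoso:O365_BUSINESS_PREMIUM'       # assumed tenant prefix
$groupName = 'Unlicensed Users'
$logSource = 'O365LicenseTask'                     # assumed
$usageLoc  = 'GB'                                  # required before licensing

# Event IDs as documented in the post.
$EvStart = 10003; $EvFinish = 10004
$EvRemoved = 10001; $EvAdded = 10002
$EvRemoveFailed = 10005; $EvAddFailed = 10006

if (-not [System.Diagnostics.EventLog]::SourceExists($logSource)) {
    New-EventLog -LogName Application -Source $logSource   # needs admin, once
}
function Write-Log([int]$Id, [string]$Message, [string]$Type = 'Information') {
    Write-EventLog -LogName Application -Source $logSource -EventId $Id `
        -EntryType $Type -Message $Message
}

# Rebuild the credential from the protected file and connect.
$secure = Get-Content $pwdFile | ConvertTo-SecureString
$cred   = New-Object System.Management.Automation.PSCredential($adminUpn, $secure)
Connect-MsolService -Credential $cred

Write-Log $EvStart 'Start processing O365 Licenses'

# Members of the exclusion group, keyed by object ID (more reliable than email).
$group      = Get-MsolGroup -SearchString $groupName | Where-Object DisplayName -eq $groupName
$unlicensed = @{}
if ($group) {
    Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
        ForEach-Object { $unlicensed[$_.ObjectId.ToString()] = $true }
}

foreach ($user in Get-MsolUser -All) {
    $upn    = $user.UserPrincipalName
    $hasSku = $user.Licenses.AccountSkuId -contains $skuId

    if ($unlicensed.ContainsKey($user.ObjectId.ToString())) {
        # In the exclusion group: remove every licence they hold.
        if ($user.Licenses.Count -gt 0) {
            try {
                Set-MsolUserLicense -UserPrincipalName $upn `
                    -RemoveLicenses $user.Licenses.AccountSkuId -ErrorAction Stop
                Write-Log $EvRemoved "Removed license from $upn"
            } catch {
                Write-Log $EvRemoveFailed "Failed to remove license from $upn : $_" 'Error'
            }
        }
    } elseif (-not $hasSku) {
        # Not excluded and missing the bundle: add it.
        try {
            if (-not $user.UsageLocation) {
                Set-MsolUser -UserPrincipalName $upn -UsageLocation $usageLoc -ErrorAction Stop
            }
            Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $skuId -ErrorAction Stop
            Write-Log $EvAdded "Added license to $upn"
        } catch {
            Write-Log $EvAddFailed "Failed to add license to $upn : $_" 'Error'
        }
    }
}

Write-Log $EvFinish 'Finish processing O365 Licenses'
```

Filtering the Application log on the source name and IDs 10005/10006 gives you the failures only, which is the view you actually want from a task that runs unattended.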
I wanted to switch all my users over to Office 365 Business Premium. It’s a bundle deal for companies of up to 300 people. Previously I’d been separately licencing each of Office 365 ProPlus, Skype for Business and OneDrive, but the Business Premium bundle is quite a bit cheaper, and gives you lots more apps.

I wanted to migrate the users over in batches, so wrote this script to help me. I created a new Office 365 security group called ToBusPrem (you can see this name in the script), added the users I wanted to migrate into that, then ran the script.

It then gets all the users in the security group and transfers them over one by one.
Some of my users have extra licenses, e.g. Visio, Project, Audio Conferencing. The script works by removing all licenses that a user has, so I exclude Visio and Project from that list.

That won’t work for Audio Conferencing as the licence is only valid if an Office Suite licence is currently allocated. So I set a flag if Audio Conferencing is present, and use the flag to add audio conferencing back after the Business Premium licence has been added.
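The batch migration just described, as an added PowerShell example (mine, not the post’s script). It walks the members of ToBusPrem, notes whether each has Audio Conferencing, removes every licence except Visio and Project, adds Business Premium, and then re-adds Audio Conferencing for those who had it. The AccountSkuId strings for the add-ons and the “contoso” tenant prefix are assumptions: they vary between tenants, which is why the script first compares them against Get-MsolAccountSku. It expects a Connect-MsolService session already open.

```powershell
# Added example (not the post's script): move the ToBusPrem group to Business
# Premium while keeping Visio/Project and restoring Audio Conferencing.
# Assumed, not from the post: tenant prefix and the add-on SKU names below.

$tenant    = 'contoso'                                               # assumed
$targetSku = "${tenant}:O365_BUSINESS_PREMIUM"
$audioSku  = "${tenant}:MCOMEETADV"                                  # assumed: Audio Conferencing
$keepSkus  = @("${tenant}:VISIOCLIENT", "${tenant}:PROJECTPROFESSIONAL")  # assumed: Visio, Project
$groupName = 'ToBusPrem'

# Fail early if any SKU name is wrong for this tenant.
$known = (Get-MsolAccountSku).AccountSkuId
foreach ($s in (@($targetSku, $audioSku) + $keepSkus)) {
    if ($known -notcontains $s) { throw "SKU not present in tenant: $s (see Get-MsolAccountSku)" }
}

$group = Get-MsolGroup -SearchString $groupName | Where-Object DisplayName -eq $groupName
if (-not $group) { throw "Group '$groupName' not found" }

$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
    Where-Object GroupMemberType -eq 'User'

foreach ($m in $members) {
    $user    = Get-MsolUser -ObjectId $m.ObjectId
    $upn     = $user.UserPrincipalName
    $current = @($user.Licenses.AccountSkuId)

    if ($current -contains $targetSku) {
        "$upn already has $targetSku, skipping"
        continue
    }

    # Audio Conferencing is only valid while an Office suite licence is
    # assigned, so remember it now and put it back after the bundle is on.
    $hadAudio = $current -contains $audioSku

    # Remove everything except the add-ons we deliberately keep.
    $toRemove = $current | Where-Object { $keepSkus -notcontains $_ }

    try {
        if ($toRemove) {
            Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $toRemove -ErrorAction Stop
        }
        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $targetSku -ErrorAction Stop
        if ($hadAudio) {
            Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $audioSku -ErrorAction Stop
        }
        "$upn migrated to $targetSku (Audio Conferencing restored: $hadAudio)"
    } catch {
        Write-Warning "Failed on $upn : $_"
    }
}
```

Run it against a group containing one test user first: a wrong SKU name or a missing UsageLocation fails on the add step, after the remove step has already succeeded, so you want to see that failure on a single account rather than a batch.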

Yahoo is now part of Oath, which includes a load (50+) of other brands, some fairly large. You might well not want your data shared amongst them. If so, here are some useful links to help you trawl through the various settings and try to control the spread of your personal data.

EU Oath FAQ – includes answers to questions such as “How will my information be used? How will this help me as a user?”, “What user information is being shared?”, along with some links to opt out or configure data settings.

Yahoo Privacy Controls – A list of links to various settings. Most of the links on the rest of this post have originated on this page.

Ad Interest Manager – Use this to opt out of tailored advertising. Ensure you’re logged in to your Yahoo account on the browser where you view this page or the opt-out won’t be persistent. If you’re not logged in, it’s done by setting a cookie. Due to the use of a cookie, this then only applies to the device and browser where you view this page. Also see the Ad Interest Manager FAQ. Also see how Yahoo combines data they have on you with that from other sources.


Troy Hunt recently released over 300 million SHA1 hashes of passwords that his Have I Been Pwned website has been collecting. The site allows you to search the database to see if your passwords are included in those from many data dumps and breaches. However, putting a valid password into a third party website, even one that’s claiming to do good things (and I’m sure it is) is a bad idea. The roughly 6GB of downloads allow you to search the cache of passwords yourself, on your own machine, which is much safer.

Loading these files into an editor to use the search function is not going to be easy though, so I wrote a script to search the file piece by piece.

At the moment there are three files, and I concatenated them using the Windows copy command and the /b switch:

copy /b file1.txt+file2.txt+file3.txt output.txt

How it works

This PowerShell script takes two parameters: The path to the password file, and the password to search for. It converts the password into a SHA1 hash, and then searches the file looking for that hash. It’s not fast, but does give you a very rough progress bar. Use an SSD, a fast processor (with turbo capability) and if you’re going to do multiple searches, more RAM than the size of the hashes text file plus plenty of room for your OS (Windows will cache the entire file in RAM if it can). The script reports if it’s found the hash of your password or not – you can test it with a password like qwerty or 123456 just to check as these are both in there.
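The search script as described above, written out as an added PowerShell example (my own, not the post’s script). It hashes the password locally, streams the concatenated file line by line rather than loading it, compares only the first 40 characters of each line (so it also copes with the later “HASH:count” format), and shows a rough progress bar from the bytes consumed. One deliberate change from the description: the password parameter is optional, and if you omit it you are prompted, which keeps the password out of your PowerShell history.

```powershell
# Added example (not the post's script). Usage:
#   .\Search-PwnedHash.ps1 -Path D:\pwned\output.txt            (prompts)
#   .\Search-PwnedHash.ps1 -Path D:\pwned\output.txt -Password qwerty
param(
    [Parameter(Mandatory)][string]$Path,
    # Optional on purpose: omit it and you are prompted, so the password
    # does not end up in the shell history.
    [string]$Password
)

if (-not $Password) {
    $secure = Read-Host -Prompt 'Password to check' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { $Password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Get-Sha1Hex([string]$Text) {
    # Upper-case hex, matching the dump's format.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        ($sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text)) |
            ForEach-Object { $_.ToString('X2') }) -join ''
    } finally { $sha1.Dispose() }
}

$target = Get-Sha1Hex $Password
Write-Host "Searching for SHA1 $($target.Substring(0, 5))... (prefix shown only)"

$file   = Get-Item -LiteralPath $Path
$reader = New-Object System.IO.StreamReader($file.FullName)
$found  = $false
$lines  = 0L
$sw     = [System.Diagnostics.Stopwatch]::StartNew()

try {
    while ($null -ne ($line = $reader.ReadLine())) {
        $lines++
        # Compare the 40-character hash only; ignore short or blank lines.
        if ($line.Length -ge 40 -and
            [string]::Compare($line, 0, $target, 0, 40,
                [System.StringComparison]::OrdinalIgnoreCase) -eq 0) {
            $found = $true
            break
        }
        # Rough progress every million lines: bytes consumed versus file size.
        if (($lines % 1000000) -eq 0) {
            $pct = [int](100 * $reader.BaseStream.Position / $file.Length)
            Write-Progress -Activity 'Searching hashes' -Status "$lines lines" -PercentComplete $pct
        }
    }
} finally {
    $reader.Dispose()
    Write-Progress -Activity 'Searching hashes' -Completed
}

if ($found) {
    Write-Host "FOUND on line $lines after $($sw.Elapsed): do not use that password." -ForegroundColor Red
} else {
    Write-Host "Not found in $lines lines ($($sw.Elapsed))." -ForegroundColor Green
}
```

Because the hash is upper-case hex and the comparison is ordinal, a hit with qwerty or 123456 will show up in the first few million lines; a miss has to read the whole file, which is where the SSD and RAM advice above comes in.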

I’ve blogged about the issues with the well-intentioned but ill-thought-out Remote Desktop Management Server concept in Windows Server 2012 (inc R2) before, trying to come up with workarounds for all the things you used to be able to do easily with tsadmin in previous versions, that you now just cannot do.

Such as delegating to non-admin users (e.g. helpdesk, expert users) the ability to log off other users.

So here’s a PowerShell script that falls back on the (very) old but thankfully still perfectly functional quser and logoff commands. My suggestion is to create a group, put the helpdesk users who need this functionality into the group, then grant the group permission via the following command:

Once the helpdesk staff are in the group they’ll need to log off the RDS server and back on again. Now you can give them the script to run.

The script uses quser to get the current user sessions on the server where it’s being run, parses it and displays it in a GridView (with multi-select). Selected users are then logged off via the (also old) logoff Command.
Get your helpdesk user to right-click the script, select “Run with PowerShell”, then just select one or more users to log off and click “OK”.
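The quser/logoff script described above, as an added PowerShell example (my own, not the post’s script). quser prints fixed-width columns and leaves SESSIONNAME blank for disconnected sessions, so a naive whitespace split shifts every column; this version reads the column offsets from quser’s own header line instead. It also handles the one dangerous edge case: if the helpdesk user clicks Cancel in the grid, nothing must be passed to logoff, because a bare logoff with no session ID logs off the current session.

```powershell
# Added example (not the post's script): list sessions with quser, pick some
# in a grid, log them off with logoff.exe. Run on the RDS host itself.

function Get-QuserSession {
    $raw = quser 2>&1
    if ($LASTEXITCODE -ne 0) { throw "quser failed: $raw" }
    $lines  = @($raw | ForEach-Object { $_.ToString() })
    $header = $lines[0]
    # Column start offsets come from the header text, not from guesswork.
    $iSess  = $header.IndexOf('SESSIONNAME')
    $iState = $header.IndexOf('STATE')
    $iIdle  = $header.IndexOf('IDLE TIME')
    $iLogon = $header.IndexOf('LOGON TIME')

    foreach ($line in ($lines | Select-Object -Skip 1)) {
        if (-not $line.Trim()) { continue }
        $line = $line.PadRight($iLogon + 1)
        # A leading '>' marks the session this script is running in.
        $current = $line.TrimStart().StartsWith('>')
        $user    = $line.Substring(0, $iSess).Trim().TrimStart('>')
        # SESSIONNAME and ID are sliced together: ID is right-aligned and
        # SESSIONNAME may be blank, but the last token is always the ID.
        $mid  = $line.Substring($iSess, $iState - $iSess).Trim() -split '\s+'
        $id   = [int]$mid[-1]
        $sess = if ($mid.Count -gt 1) { $mid[0] } else { '' }
        [pscustomobject]@{
            User        = $user
            SessionName = $sess
            ID          = $id
            State       = $line.Substring($iState, $iIdle - $iState).Trim()
            IdleTime    = $line.Substring($iIdle, $iLogon - $iIdle).Trim()
            LogonTime   = $line.Substring($iLogon).Trim()
            Current     = $current
        }
    }
}

# Never offer the helpdesk user's own session: logging it off kills the script.
$sessions = Get-QuserSession | Where-Object { -not $_.Current } | Sort-Object User
if (-not $sessions) { Write-Host 'No other sessions on this server.'; return }

$chosen = $sessions | Out-GridView -Title 'Select session(s) to log off, then click OK' -PassThru

# Cancel returns nothing. A bare "logoff" with no session ID would log off
# THIS session, so stop here rather than loop over an empty selection.
if (-not $chosen) { Write-Host 'Nothing selected.'; return }

foreach ($s in @($chosen)) {
    logoff $s.ID
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Logged off $($s.User) (session $($s.ID), was $($s.State))"
    } else {
        Write-Warning "logoff returned $LASTEXITCODE for $($s.User) (session $($s.ID))"
    }
}
```

If logoff returns a non-zero code for every session, the helpdesk account has not picked up the new group membership yet; as noted above, they need to log off the RDS server and back on first.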

I am fed up. This is a bit of a rant, but with good reason: companies and services that I and all of us pay good money for are not being managed properly. I say: Enough, no more excuses.

The ongoing reports in the media about assorted cyber attacks tend to all have just a few things in common:

Outdated and unsupported software

Supported software that has not been kept up to date

Administrator-level privileges routinely being used

Now this really is basic stuff.

Let’s ignore the detail of the attacks: almost none of them use zero-days. That means no excuses. It just indicates lax systems management: irresponsible, lazy, incompetent, poor resource allocation. IT departments – I blame you. Though it’s usually the managers: they hold the responsibility, and thus it is only fair to hold them accountable. And that is extremely worrying considering the human, financial and technical resources they already have at their disposal.

Let’s look at those three common issues in more detail. My solutions to these issues will be addressed in future posts.

Outdated and unsupported software

By this I am including the software that runs inside your hardware. Everything connected to your network runs software. Firewalls, printers, switches, display screens, HVAC, WiFi access points, all that BYOD stuff you got pressured into allowing because “everyone’s doing it”, storage systems, remote access controllers, your new fancy and eye-wateringly expensive security monitoring system. So none of this “oh but it’s an appliance so I don’t need to update it”. Oh yes you do, it’s probably running some version of Linux with a web interface (that’s now) full of holes. “But we bought it before anyone knew about this cyber stuff”. Right, so it’s 20 years old then? Didn’t think so. In any case, you know about it now so update it, replace it, or get it off the network.

Add this to your purchasing criteria, otherwise your next “appliance” might become a dangerous attack vector just a few weeks (if you’re unlucky) or months (lucky) after you buy it, and the only safe thing you can do is disconnect it, which tends to make these things pretty useless. And it’ll make you look stupid.

“But we didn’t have time to move off Windows XP before Microsoft cut support for it”. Rubbish. You just lack basic planning skills. Microsoft, as with many other software companies, provide support and (importantly) updates for their products based on product lifecycles. These state quite clearly when the different levels of support will end. These dates are announced when the product is first released, and historically were updated as Service Packs were released. Which means that you had many years of notice of when the support end date was. Plenty for pretty much any budget or size of rollout. Note that if you’re only just now moving from XP to Windows 7 SP1 – fail – you “only” have until Jan 14th 2020, yes two and a half years, to get off it onto something newer (it was released mid 2009 – it’s currently eight years old, and that is a long time in OS years!).

Oh, you could pay huge amounts of money for updates beyond the extended support date, but that’s rather adding financial injury to the insult already bestowed on your organisation by their IT management. And it doesn’t magically upgrade you to Windows “latest” – you still have to do that work yourself.

Outdated applications also make upgrading to newer OSs difficult or impossible, though there are almost invariably workarounds that range from OK to pretty nasty.

A final point to make about using outdated software is that frequently the mechanisms it uses are also outdated. Think old and compromised security protocols, requirements to access sensitive parts of the operating system, reliance on old compromised plugins and libraries, non-existence of modern security features, incompatibility with modern security features. You might have to turn off some of the security in your newer systems because otherwise all your old stuff won’t be able to talk to it! I bet you never get around to turning that on again, either.

Supported software that has not been kept up to date

“If we update it, it might break”. How about this: You don’t update it and some hacker/malware will break it for you. And break a whole load of other stuff too, and you won’t have a clue what’s been done to what, where your data’s gone/been sold, when it’ll resurface, or if you’ve even recovered properly. Assuming you do recover at all.

You do not want to be doing some crazy cocktail of updates a couple of times a year because that’s asking for trouble too. If your business units can’t tolerate a few minutes of downtime per PC and server once a month either a) they’re lying, or b) you bought the wrong system or designed it wrong.

It’s much better to just keep things up to date every month. Which in Windows, is default (i.e. it has to be deliberately disabled).

You’ll mostly be fine. In fact you’ll almost certainly be fine. I know, I’ve done this to thousands of PCs, hundreds of servers and applications with tens of thousands of users for many, many years. I am not just “lucky”.

And if you’re not fine, well that’s where good update management, recovery procedures, and SLAs with your suppliers come in. And at least you know what you did to break it. But 999 times out of a thousand nothing will break, and you’ll feel smug that you’re not getting hacked via vulnerabilities that were patched months or years ago. Because that is what really makes you look stupid.

Administrator-level privileges routinely being used

Nasty, messy, dangerous, expensive. Do not give end users administrator privileges. No excuses. If they need them to run some horrible piece of software – time to update it to a slightly less horrible version (see above) or ditch it for a supplier that can actually write modern code (as opposed to something they’ve been banging away at in Visual Basic (not .NET)). If they want to run iTunes (insert any other non-work-related application here) on their work PC, either get your boss to agree with their boss that the costs involved to package, deploy and update this regularly are worth it (hint: they won’t be), or tell them “no” upfront. Simple. Running as administrator allows almost all security restrictions to be bypassed – even if your users don’t try it you can bet that bit of malware they just clicked on will.

Also, do not routinely (ideally ever) use domain administrator accounts on end-user devices. If something has managed to escalate its privileges locally, it is extremely easy to steal or impersonate other live credentials – and if those happen to be of a domain administrator then it’s game over. Don’t be lazy admins.

And while we’re on the subject, don’t use the same local administrator password on everything: each device should be different and should be changed regularly (Microsoft’s free LAPS tool does exactly this for domain-joined machines, so there is no excuse on that front either).

Rant over

This really is basic stuff, and yet we continue to see the reports in the news headlines. The people who should be taking care of this need to just actually crack on and do it. GDPR may help, but it’s really just a (very) big stick – if your personal data has been compromised, or a service you require can no longer function, the fact that a bunch of execs might face enormous fines still doesn’t get your data back or your service up and running again. Not until it has scared enough of the people responsible into actually doing their jobs properly, which sadly will take years.

If you work in IT and your department isn’t taking care of the above points, ask your boss why not. Get them to ask their boss why not. If you don’t like the answers (or don’t get any at all), leave before somebody tries to pin the impending disaster on you!

I’ll be posting simple methods of not getting caught out by the above points over the next few days so watch/follow/etc. so you don’t miss out.